I found this bug when I was developing a new site, and was testing using DOM to create new script elements dynamically. The code works without crashing in all browsers I have tried, except for Internet Explorer. I have tried this in both 6 and 7 with the same end result (though Internet Explorer 6's crash is much more nasty).
Bug/Exploit:
It appears there is a problem when a script is dynamically loaded and calls a function to remove itself from the page multiple times. It appears that this sequence of events has to be run twice for it to happen, and a timer must be used to call the start of the second run (very weird).
Here is the code I have finally come up with and is demonstrated later on this page:
Contents of 'crash.js'
To trigger this application, you must make a call to the c() function, which should immediately crash IE.
I have also tried variations of this code which seemed to have not worked the same way:
Please note that the above example code is more lengthy than it has to be, and that an anchor is not required to execute the crash.